"Cherry Picker" PoS Malware Cleans Up After Itself

A point-of-sale (PoS) malware that went largely undetected for the past several years has been analyzed by researchers at Trustwave.

Dubbed by the security firm “Cherry Picker,” the threat has been around since at least 2011, but it managed to stay under the radar thanks to its sophisticated functionality and use in highly targeted attacks.

In 2011, Trustwave started analyzing several pieces of malware designed to inject code into processes that contain cardholder data. One of these toolsets consisted of two components: sr.exe, a command-line interface, and searcher.dll, which sr.exe injected into targeted processes.

This toolset was often found on infected systems alongside other threats, such as a PoS malware created using the AutoIt scripting language, and Rdasrv, one of the earliest PoS RAM scrapers.

Another threat seen on systems infected with searcher.dll is Cherry Picker, which has managed to stay under the radar. Trustwave reported spotting three versions of the malware, each with slight functionality improvements compared to the previous version.

According to researchers, Cherry Picker relies on a new memory scraping algorithm, it uses a file infector for persistence, and it comes with a cleaner component that removes all traces of the infection from the system.

While in some cases the PoS malware created a registry entry for persistence, in more recent instances experts discovered an updated version of sr.exe, srf.exe, which has been used to install the malware and inject a DLL into processes.
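A defender-side triage example for the toolset described above, added here and not taken from Trustwave's analysis: it scans process-creation and image-load events for the file names the article reports (sr.exe, srf.exe, searcher.dll) and correlates them per host. The event layout is a simplified, constructed stand-in for Sysmon event IDs 1 and 7, and all hosts, paths and the `posapp.exe` process name are invented.

```python
import ntpath
from collections import defaultdict

# File names reported in the article. Name matching is a weak signal that a
# rename defeats; treat hits as leads for triage, not as a verdict.
INJECTORS = {"sr.exe", "srf.exe"}
PAYLOAD_DLLS = {"searcher.dll"}

# Constructed sample events (assumed fields: host, event_id, image, image_loaded).
# event_id 1 = process creation, 7 = image (DLL) load, as in Sysmon.
SAMPLE_EVENTS = [
    {"host": "POS-01", "event_id": 1, "image": r"C:\Windows\Temp\srf.exe"},
    {"host": "POS-01", "event_id": 7, "image": r"C:\POS\posapp.exe",
     "image_loaded": r"C:\Windows\Temp\searcher.dll"},
    {"host": "POS-02", "event_id": 1, "image": r"C:\Windows\System32\sc.exe"},
    {"host": "POS-03", "event_id": 7, "image": r"C:\POS\posapp.exe",
     "image_loaded": r"C:\Users\Public\SEARCHER.DLL"},
]

def _name(path):
    # ntpath parses Windows paths correctly on any analysis host.
    return ntpath.basename(path or "").lower()

def triage(events):
    """Group hits per host; injector run plus DLL load on one host is 'high'."""
    hits = defaultdict(lambda: {"injectors": set(), "targets": set()})
    for ev in events:
        if ev["event_id"] == 1 and _name(ev.get("image")) in INJECTORS:
            hits[ev["host"]]["injectors"].add(_name(ev["image"]))
        elif ev["event_id"] == 7 and _name(ev.get("image_loaded")) in PAYLOAD_DLLS:
            # The process that loaded the DLL is the likely injection target.
            hits[ev["host"]]["targets"].add(_name(ev["image"]))
    report = {}
    for host, h in hits.items():
        both = bool(h["injectors"] and h["targets"])
        report[host] = {
            "severity": "high" if both else "medium",
            "injectors": sorted(h["injectors"]),
            "injected_processes": sorted(h["targets"]),
        }
    return report

if __name__ == "__main__":
    for host, finding in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, finding)
```

Because the malware ships with a cleaner, this kind of check is only useful against telemetry that was forwarded off the host before cleanup ran.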

In basketball, a cherry picker is a player who doesn’t play defense with the rest of the team and instead sits near the opponent’s basket waiting for a pass after a change of possession, enabling them to score easily. Just like a cherry picker in basketball, the Cherry Picker malware doesn’t target all processes and instead focuses on one process that is known to contain card data.

The threat’s configuration file specifies which process should be injected, and if that process is not found, the malware exits. This indicates that the attacker has already conducted reconnaissance on the system to determine which process should be targeted.

The latest version of the PoS malware relies on an API called QueryWorkingSet to scrape the memory. The harvested data is then written into a file and sent to the attacker’s server.

Once the data is exfiltrated, the cleaning process begins. The malware developers created a targeted cleaner tool designed to restore the infected system to a clean state. The threat relies on the popular remote control software TeamViewer to overwrite and remove files, logs and registry entries.

“Cherry Picker’s use of configuration files, encryption, obfuscation, and command line arguments have allowed the malware to remain under the radar of many security companies and AV’s,” Trustwave researchers said. “The introduction of a new way to parse memory and find CHD, a sophisticated file infector, and a targeted cleaner program have allowed this malware family to go largely unnoticed in the security community.”

Trustwave says it’s currently investigating a Cherry Picker attack targeting a company in the food and beverage industry, but the security firm warns that any business using PoS applications is at risk.

Additional technical details on Cherry Picker are available in a blog post from Trustwave.